]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | ||
3 | set -e | |
4 | unset GREP_OPTIONS | |
5 | ||
6 | # We don't use a secret keyring, of course, but gpg panics and | |
7 | # implodes if there isn't one available | |
8 | SECRETKEYRING="$(mktemp)" | |
9 | trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM | |
10 | GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" | |
11 | ||
12 | if [ "$(id -u)" -eq 0 ]; then | |
13 | # we could use a tmpfile here too, but creation of this tends to be time-consuming | |
14 | eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) | |
15 | GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" | |
16 | fi | |
17 | ||
18 | GPG="$GPG_CMD" | |
19 | ||
20 | MASTER_KEYRING="" | |
21 | ARCHIVE_KEYRING_URI="" | |
22 | #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg | |
23 | #ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg | |
24 | ||
25 | ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg | |
26 | REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg | |
27 | ||
28 | requires_root() { | |
29 | if [ "$(id -u)" -ne 0 ]; then | |
30 | echo >&1 "ERROR: This command can only be used by root." | |
31 | exit 1 | |
32 | fi | |
33 | } | |
34 | ||
35 | add_keys_with_verify_against_master_keyring() { | |
36 | ADD_KEYRING=$1 | |
37 | MASTER=$2 | |
38 | ||
39 | if [ ! -f "$ADD_KEYRING" ]; then | |
40 | echo "ERROR: '$ADD_KEYRING' not found" | |
41 | return | |
42 | fi | |
43 | if [ ! -f "$MASTER" ]; then | |
44 | echo "ERROR: '$MASTER' not found" | |
45 | return | |
46 | fi | |
47 | ||
48 | # when adding new keys, make sure that the archive-master-keyring | |
49 | # is honored. so: | |
50 | # all keys that are exported must have a valid signature | |
51 | # from a key in the $distro-master-keyring | |
52 | add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
53 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
54 | for add_key in $add_keys; do | |
55 | ADDED=0 | |
56 | for master_key in $master_keys; do | |
57 | if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then | |
58 | $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import | |
59 | ADDED=1 | |
60 | fi | |
61 | done | |
62 | if [ $ADDED = 0 ]; then | |
63 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
64 | fi | |
65 | done | |
66 | } | |
67 | ||
68 | # update the current archive signing keyring from a network URI | |
69 | # the archive-keyring keys needs to be signed with the master key | |
70 | # (otherwise it does not make sense from a security POV) | |
71 | net_update() { | |
72 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then | |
73 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" | |
74 | exit 1 | |
75 | fi | |
76 | requires_root | |
77 | # in theory we would need to depend on wget for this, but this feature | |
78 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
79 | if ! which wget >/dev/null 2>&1; then | |
80 | echo >&2 "ERROR: an installed wget is required for a network-based update" | |
81 | exit 1 | |
82 | fi | |
83 | if [ ! -d /var/lib/apt/keyrings ]; then | |
84 | mkdir -p /var/lib/apt/keyrings | |
85 | fi | |
86 | keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) | |
87 | old_mtime=0 | |
88 | if [ -e $keyring ]; then | |
89 | old_mtime=$(stat -c %Y $keyring) | |
90 | fi | |
91 | (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) | |
92 | if [ ! -e $keyring ]; then | |
93 | return | |
94 | fi | |
95 | new_mtime=$(stat -c %Y $keyring) | |
96 | if [ $new_mtime -ne $old_mtime ]; then | |
97 | echo "Checking for new archive signing keys now" | |
98 | add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING | |
99 | fi | |
100 | } | |
101 | ||
102 | update() { | |
103 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
104 | echo >&2 "ERROR: Can't find the archive-keyring" | |
105 | echo >&2 "Is the debian-archive-keyring package installed?" | |
106 | exit 1 | |
107 | fi | |
108 | requires_root | |
109 | ||
110 | # add new keys from the package; | |
111 | ||
112 | # we do not use add_keys_with_verify_against_master_keyring here, | |
113 | # because "update" is run on regular package updates. A | |
114 | # attacker might as well replace the master-archive-keyring file | |
115 | # in the package and add his own keys. so this check wouldn't | |
116 | # add any security. we *need* this check on net-update though | |
117 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
118 | ||
119 | if [ -r "$REMOVED_KEYS" ]; then | |
120 | # remove no-longer supported/used keys | |
121 | keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
122 | for key in $keys; do | |
123 | if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then | |
124 | $GPG --quiet --batch --delete-key --yes ${key} | |
125 | fi | |
126 | done | |
127 | else | |
128 | echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 | |
129 | fi | |
130 | } | |
131 | ||
132 | ||
133 | usage() { | |
134 | echo "Usage: apt-key [--keyring file] [command] [arguments]" | |
135 | echo | |
136 | echo "Manage apt's list of trusted keys" | |
137 | echo | |
138 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
139 | echo " apt-key del <keyid> - remove the key <keyid>" | |
140 | echo " apt-key export <keyid> - output the key <keyid>" | |
141 | echo " apt-key exportall - output all trusted keys" | |
142 | echo " apt-key update - update keys using the keyring package" | |
143 | echo " apt-key net-update - update keys using the network" | |
144 | echo " apt-key list - list keys" | |
145 | echo " apt-key finger - list fingerprints" | |
146 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
147 | echo | |
148 | echo "If no specific keyring file is given the command applies to all keyring files." | |
149 | } | |
150 | ||
151 | # Determine on which keyring we want to work | |
152 | if [ "$1" = "--keyring" ]; then | |
153 | #echo "keyfile given" | |
154 | shift | |
155 | TRUSTEDFILE="$1" | |
156 | if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ]; then | |
157 | GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" | |
158 | else | |
159 | echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" | |
160 | exit 1 | |
161 | fi | |
162 | shift | |
163 | # otherwise use the default | |
164 | else | |
165 | #echo "generate list" | |
166 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
167 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) | |
168 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) | |
169 | if [ -r "$TRUSTEDFILE" ]; then | |
170 | GPG="$GPG --keyring $TRUSTEDFILE" | |
171 | fi | |
172 | GPG="$GPG --primary-keyring $TRUSTEDFILE" | |
173 | TRUSTEDPARTS="/etc/apt/trusted.gpg.d" | |
174 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) | |
175 | if [ -d "$TRUSTEDPARTS" ]; then | |
176 | #echo "parts active" | |
177 | for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do | |
178 | #echo "part -> $trusted" | |
179 | GPG="$GPG --keyring $trusted" | |
180 | done | |
181 | fi | |
182 | fi | |
183 | #echo "COMMAND: $GPG" | |
184 | ||
185 | command="$1" | |
186 | if [ -z "$command" ]; then | |
187 | usage | |
188 | exit 1 | |
189 | fi | |
190 | shift | |
191 | ||
192 | if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then | |
193 | echo >&2 "Warning: gnupg does not seem to be installed." | |
194 | echo >&2 "Warning: apt-key requires gnupg for most operations." | |
195 | echo >&2 | |
196 | fi | |
197 | ||
198 | case "$command" in | |
199 | add) | |
200 | requires_root | |
201 | $GPG --quiet --batch --import "$1" | |
202 | echo "OK" | |
203 | ;; | |
204 | del|rm|remove) | |
205 | requires_root | |
206 | $GPG --quiet --batch --delete-key --yes "$1" | |
207 | echo "OK" | |
208 | ;; | |
209 | update) | |
210 | update | |
211 | ;; | |
212 | net-update) | |
213 | net_update | |
214 | ;; | |
215 | list) | |
216 | $GPG --batch --list-keys | |
217 | ;; | |
218 | finger*) | |
219 | $GPG --batch --fingerprint | |
220 | ;; | |
221 | export) | |
222 | $GPG --armor --export "$1" | |
223 | ;; | |
224 | exportall) | |
225 | $GPG --armor --export | |
226 | ;; | |
227 | adv*) | |
228 | echo "Executing: $GPG $*" | |
229 | $GPG $* | |
230 | ;; | |
231 | help) | |
232 | usage | |
233 | ;; | |
234 | *) | |
235 | usage | |
236 | exit 1 | |
237 | ;; | |
238 | esac |